| Summary: | 碩士 === 國立臺灣科技大學 === 資訊工程系 === 104 === The cyber-criminals infect victim machines successfully under any circumstances, they must disperse and install malware into victim machines as many as possible. Through the drive-by download attack is a direct way to accomplish installing malware programs by allure victims into to the infected Web page, when victims access those Web pages, and trigger the injected shellcode, the drive-by download attacks is automatically downloaded and springs the malware program as soon as it can. Even if the Antivirus solutions and blacklists can defend drive-by download attack, the effect of solutions is not availability. Because the Cyber-criminals uses the obfuscated variants of malware technology and quickly churning through domains or IP address technology to evade antivirus solutions and blacklists detection. In recent years, the researchers propose a new direction to identify the drive-by-download attacks in the installation phase by "zoom-out" view of drive-by-download behaviors. However, current soloutions need considerable number of browsing records from users of ISP scale. This solution may not work in the enterprise scale of network environment or insufficient historical browsing data. In this study, we propose "Ziffersystem", a system that detects infections in the targeted enterprise. "Ziffersystem" work on the insufficient network traffic and have good effect to result. "Ziffersystem" includes two modules, i.e.: Malicious Orchestrated Behaviors Modeling and Orchestrated Behaviors Detector. The Malicious Orchestrated Behaviors Modeling help "Ziffersystem" getting the stronger “evil seed” to modeling malicious construction and this system do not need a large scale networks data(e.g. IPS traffic) to model the malicious activity, specifically the enterprise which has few network traffic and high sensitivity data or low security protect. Then our system structures the malicious neighbor construction, this malicious neighbor construction will display the malicious download behavior feature that cannot identify by single malicious download.The Orchestrated Behaviors Detector of the "Ziffersystem" is focus on detect the telltale signs of the malicious network infrastructures that orchestrate these malware installations that become apparent when looking at the collective traffic produced and becomes apparent when looking at the collective traffic produced by many users in the targeted enterprise. This system calculates how the input data are close to malicious candidates, and assesses whether it is the Malware Distribution. We rank the input data by network traffic features(e.g. Server IP, Domain, Path) to decide their score, and input data that similar with Malware Distribution have the potential of exposing distinct parts of the malicious activity, which may otherwise remain undetected. Our system analyze 78,033,562 URL from the government Proxy logs with 4,624 real hosts. we detect a total of 37 malicious domain. The 37 malicious domain include 26 detected also by antivirus products labeled, We also implement a Malware Distribution Identification tool named "Ziffersystem" that automate the describing of Malware Distribution and the assessment of malicious orchestrated behaviors.
|
|---|
